I am wondering whether it is possible to implement a Cloud Foundry-hosted service that other CF applications can subscribe to, with the following requirements, and (more or less) within the existing CF facilities...
The context of the question is converting an existing CF Java based appication to a reusable service that can be deployed only once and reused by other (mulually unrelated) applications, instead of every application (or application set) having to incorporate a privately deployed instance of the service.
In a nutshell, subscribing applications should be able to store their data in the service, and interactive users to access this data. (An example of the data could be messages for a particular user, work items etc. sent by the subscribing applications, and the service is responsible for aggregating them on per-user basis and displaying to a logged-on user the summary of data targeted at him.)
Thus, requirements would be:
CF-hosted applications should be able to dynamically subscribe to (and later unsubscribe from) the service.
Subscribing applications may either share or have different identity providers (IdP's) and UAA instances.
The service has two kinds of endpoints:
endpoints intended for app2service (REST etc.) calls by the subscribing applications
endpoints intended for interactive access by users registred in the IdPs of the subscribing applications
Service's interactive endpoints are (preferably) protected by scopes. It must be (preferably) possible for the service to export its scope definitions to the UAAs of the subscribing applications (or rather for subscribing applications/UAAs to import them at the time of design, deployment or subscription), and for the administrator of a given UAA to assign service-defined scopes to appropriate users registered through this UAA/IdP combo (i.e. one associated with the subscribing application).
4.1. At the barest minimum, interactive endpoints may be left unprotected by scopes, but they should require and trigger authentication (e.g. having "intercept-url access=isAuthenticated()" in their Spring security descriptors). The servlet should be able to retrieve JWT token and identify the user making the request.
There should be a way for a service to associate between userid namespaces and subscription ids.
Two different subscription contexts associated with two different IdP's may both have user "John" but these are two different Johns.
So when user John arrives to an interactive endpoint of the service, the service needs to be able to figure out which IdP/subscription set (and hence data set) this John maps to.
Or, conversely, when a subscribed app performs an app2service call, the service should be able to identify the subscription id of the caller, in an authenticated way, and then figure out which IdP it is associated with.
Either way, it is essential that subscription mechanism provides for an establishment of a mapping between a subscription id and IdP used by a subscribing application; the service will need to know this mapping.
5.1. Not too sure how exactly things are to work out when two different UAA instances point to the same backing IdP.
Perhaps UAA can present its instance identity, but can it be made to present (in the generated JWT tokens) the identity of the backing IdP, and can the latter be signed?
Is it something that existing CF facilities provide for or that can be implemented on top of them with some ease?
Thanks.
Related
We are currently developing a cloud solution that would require 2000+ clients to publish events (1-2 per second) into an Event Hub. We built a prototype that gives each client a Shared access policy (Authorization Rule), and creates a SAS token with a publisher policy as defined here
We thus are able to identify the publisher of each event by inspecting the x-opt-publisher system property, and to revoke access to the Event Hub for each client at any time, without having to resort to token expiry and renewal.
However, we recently learned that the maximum amount of SAPs / Authorization rules is 12, so this solution ultimately will not work.
Is there another solution to this problem? Our goals are:
Avoid having to use token refresh, as this would require adding code to all clients.
Being able to revoke access to the Event Hub instantly in case a client either gets compromised, misbehaves, malfunctions due to a bug, or the associated customer's contract is terminated
Avoid having to use a frontend service authenticating the clients, as we are talking about a substantial additional system load (5000 requests per second)
Avoid having to use IoT hub, as the costs are far higher than with our solution, and we do not need all that functionality
Thanks in advance
You don't need to create a dedicated SAS policy for each device or publisher. Please note that a publisher should only own a token signed for itself and should not be able to access the SAS policy key.
Feel free to check the publisher policy document here for more details.
I am working on a NodeJS application which exposes some APIs. This APIs can be accessed by different vendors (Without any browser). Now I want to know what is the best way to Authentic/Authorize these vendors using AWS Cognito service?
Should I give a client ID (Username) and API_KEY (Password) to my vendors and Validate it through cognito for every subsequent requests. (As of now it is already implemented from the Database)
[OR]
Should I generate a access and Id token for the vendor with MAX validity and give it to the vendor. (I understand this isn't the best practice)
So what should be the best way to achieve this?
Define app clients in your user pool, one for each of the "foreign" servers. When you create them Cognito will generate an app client id and a secret (if you check that box...and you should check it). In "App client settings" (AWS Console for Cognito) you tell it the client will use "Client credentials." Finally, define whatever custom scopes you think you can leverage to provide finer control of access. These can be different for each client.
Now the foreign server can authenticate/get-authorization by passing in the app client id and the secret, etc., etc. Usual Cognito stuff.
I am designing a product which would be deployed to AWS. It will use Cognito for user authentication. It will be a multi-tenant application.
The application has many modules/features. The pricing depends on the features selected by the client.
Please provide guidance on how can I implement a check if the feature is licensed or not. I don't want to put the logic inside each web api endpoint.
You should create an application microservice (callable via a API, but with access locked down to your own application) that receives information such as:
Authenticated User ID
Service wanting to be accessed
Resource-level information in case you want fine-grained access control
The authentication microservice would consult a database, apply appropriate business logic and return a success indicator.
Preferably:
Each request should be logged in an audit trail
If access is denied, return an error message that could hint at the reason why (eg 'This feature is requires subscription to the XYZ module')
Use some form of cache to make the queries super-fast (eg DAX for DynamoDB, or ElastiCache)
Licensing systems can often be more complex than actual applications!
I'm working on developing my first SOA web-based application. I'm extremely new to SOA and still trying to wrap my head around best design principles for service design, especially in the way that services should talk to another.
The current problem I'm trying to figure out has to do with authentication and authorization. Lets say I have a trivial user service and event service, where the event service represents events in a calendar. Is it general practice to have the event service call the user service to authorize the request? Or, would it be better practice to implement user authorization on a system that exists between the client and the requested service? The system, which is essentially just another service, checks to user credentials to make sure they have access to the requested action (GET events/1, etc) and if so, sends the request to the service. This service could also act as a central load balancer and cache...I just like the idea of keeping user logic outside of each specific service.
You can use siteminder as authentication and authorization. Only the client who has valid token can invoke the service. you could also have roles assigned in siteminder.
I'd like to run some stateless Java services on the Bitnami stack on AWS that will be consumed by apps... and of course to access these I'd need some type of authentication and authorization.
Previously with this type of architecture I've chucked an API gateway in front of them, to which the developer would subscribe. And AWS provides an API gateway, nice.
HOWEVER, while reading up on how to set this up on AWS I came across 'AWS Cognito' which is supposedly designed specifically for this same purpose.
So my question is are these two solutions comparable - are they doing the same thing?
And if-so, then what are the pros and cons of each, when would choose one over the other?
Basically because you are targeting the user level you should use Cognito; as it does provide you with authentication, reseting passwords for the user, and of course
signing up workflow. Moreover it provides user information to the admin, as well as two factor authentication, by using the user's mobile phone.
If you want to authorize the application to use an api then you use the API Gateaway.
The Cognito, is designed for user interaction it has an api for Java, JavaScript, iOS, and Android, so you can
implement the interaction with it at any level; as you wish. You also not getting changed if your user base is less than 50k.